Aumni can integrate with any identity provider (IdP) as long as it supports Security Assertion Markup Language (SAML). To learn more about how to add single sign-on (SSO) capabilities to your account, reach out to your customer success team.
About SAML single sign-on
SAML is an open standard for transferring identity, authentication, and authorization data between parties, such as an IdP and a service provider. SAML for single sign-on (SSO) allows authentication of Aumni users through your company’s IdP when you log in to the Aumni platform, making it convenient and more secure to access your account.
Setting up SSO
1. To establish trust with Aumni, add an Entity ID, an Assertion Consumer Service (ACS) URL, and a Signing certificate in your identity provider (IdP).
- The Entity ID is the identifier that uniquely identifies Aumni as a SAML entity or service provider.
- The Assertion Consumer Service (ACS) URL is the endpoint on the Aumni side that listens for requests from your identity provider, enabling communication between your IdP and Aumni. This URL is sometimes called a Reply or Callback URL.
- The Signing certificate is the Aumni certificate, stored on your server, that is needed to maintain the trust relationship. It contains the public key needed for authentication.
- The Aumni SAML Metadata is a public endpoint that contains Aumni’s X509 certificate and the other SAML configuration details already called out in this document; it is included here for reference only.
Use these details to set up the connection with your identity provider (IdP):

| Details | Description |
|---|---|
| Entity ID | urn:auth0:aumni:saml-company-name |
| ACS URL | https://aumni.auth0.com/login/callback?connection=saml-company-name |
| Aumni Signing Certificate | https://aumni.auth0.com/pem |

*Please replace “company-name” with your organization’s name.*
2. To enrich your identity profile with Aumni, configure the following identity attributes in your IdP.
- To map information from your identity provider to Aumni, name your user attributes as follows, using the same capitalization and spelling.
| Attribute | Description |
|---|---|
|  | The user email address |
| name | The name of the person to be authenticated |
| username | The person’s username for the identity provider |
- This is important, as it helps enrich your users’ identity in our system and minimizes the potential for authentication issues.
- If your user attributes do not match, note that the Aumni configuration for your SSO may take more time.
- Once these steps have been completed, select Save in your IdP.
SAML information to provide to Aumni
Obtain the following information from your identity provider, and send these details to support@aumni.fund so we can begin to configure your SAML connection on our end:
| Information | Description |
|---|---|
| Sign-in URL | The URL for your identity provider’s sign-in page |
| X509 Signing Certificate | The identity provider’s public key, encoded in Base64 format |
| Sign-out URL | Optional but recommended. The URL to redirect to whenever a user logs out of Aumni |
| User ID attribute | Optional; defaults to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier. This value uniquely identifies Aumni users; changing it later will result in a duplicate user being created. |
| Protocol binding | HTTP-POST is supported. |
| IdP-initiated flow supported? | Aumni does not support the IdP-initiated login flow due to security risks. Only SP-initiated login is supported. |
| Email domains and subdomains | The email domains and subdomains that need access to the SSO. This is used to configure Home Realm Discovery (HRD) for all your associated email domains. |
| Entity ID & ACS URL | Send us the Entity ID & ACS URL you entered into your IdP during step 1. This is essential so we can confirm that the “company-name” matches the Service Provider configuration on Aumni’s end. |
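As an added example (not Aumni’s own code or tooling), the following Python script pre-checks the values from the two tables above before they are sent: that the ACS URL’s connection parameter agrees with the company name in the Entity ID, that the required attribute names match exactly including capitalization, and that the IdP details use HTTPS, the HTTP-POST binding and SP-initiated login. The attribute list omits the email attribute because its exact name is not shown on this page, and all sample values are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Values from the setup tables above; "company-name" is the per-tenant part.
ENTITY_ID_PREFIX = "urn:auth0:aumni:saml-"
ACS_HOST_PATH = "aumni.auth0.com/login/callback"
REQUIRED_ATTRIBUTES = ("name", "username")  # case-sensitive names listed on this page


def check_sp_values(entity_id: str, acs_url: str) -> list[str]:
    """Return problems found in the Entity ID / ACS URL pair; [] means they agree."""
    problems = []
    if not entity_id.startswith(ENTITY_ID_PREFIX) or entity_id == ENTITY_ID_PREFIX:
        problems.append(f"Entity ID must be {ENTITY_ID_PREFIX}<company-name>")
        return problems
    company = entity_id[len(ENTITY_ID_PREFIX):]
    parsed = urlparse(acs_url)
    if parsed.scheme != "https" or parsed.netloc + parsed.path != ACS_HOST_PATH:
        problems.append(f"ACS URL must be https://{ACS_HOST_PATH}?connection=saml-<company-name>")
    if parse_qs(parsed.query).get("connection") != [f"saml-{company}"]:
        problems.append(f"ACS 'connection' parameter must be saml-{company} to match the Entity ID")
    return problems


def check_idp_attributes(mapping: dict[str, str]) -> list[str]:
    """Flag required attribute names that are absent or differ only in capitalization."""
    problems = []
    for wanted in REQUIRED_ATTRIBUTES:
        if wanted in mapping:
            continue
        near = [k for k in mapping if k.lower() == wanted.lower()]
        hint = f" (found {near[0]!r}; capitalization must match)" if near else ""
        problems.append(f"missing attribute {wanted!r}{hint}")
    return problems


def check_idp_details(sign_in_url: str, binding: str, idp_initiated: bool) -> list[str]:
    """Check the values sent back to Aumni against the constraints in the table above."""
    problems = []
    if urlparse(sign_in_url).scheme != "https":
        problems.append("Sign-in URL must use https")
    if binding != "HTTP-POST":
        problems.append("only the HTTP-POST binding is supported")
    if idp_initiated:
        problems.append("IdP-initiated flow is not supported; configure SP-initiated login only")
    return problems


if __name__ == "__main__":  # constructed sample values, not a real tenant
    print(check_sp_values("urn:auth0:aumni:saml-acme",
                          "https://aumni.auth0.com/login/callback?connection=saml-acme-corp"))
```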
Additional FAQs
If you have questions or concerns, please reach out to support@aumni.fund.
As mentioned before, we are unable to support IdP-initiated logins at this time due to the security risks they present. A feasible workaround is to include a bookmark tile in your IdP that links to our login page (app.aumni.fund).
Furthermore, we do not support provisioning, in order to protect the security, confidentiality, and integrity of the data mappings within the system; these are instead handled carefully through checks and balances in the system.